
# Get an application's credential.

> In FIPS mode, this app's secret is reset after 100 failed API key authentication
attempts within a 24-hour period.

## OpenAPI

````json GET /sys/v1/apps/{app_id}/credential
{
  "openapi": "3.0.0",
  "info": {
    "title": "Fortanix DSM REST API",
    "description": "This is a set of REST APIs for accessing the Fortanix Data Security Manager. This includes APIs for managing accounts, and for performing cryptographic and key management operations. \n\n **Note:** \n- All binary input should be base64-encoded. These fields are marked with `format: byte`. \n- For forward compatibility, any API client is expected to ignore any fields in the response not explicitly mentioned in the documentation. We reserve the right to add new fields at any time to provide new functionality without affecting existing API clients.",
    "termsOfService": "https://www.fortanix.com/legal/terms/",
    "contact": {
      "name": "Fortanix Support",
      "url": "https://support.fortanix.com/",
      "email": "support@fortanix.com"
    },
    "license": {
      "name": "Apache 2.0",
      "url": "http://www.apache.org/licenses/LICENSE-2.0.html"
    },
    "version": "0.1.0-20260526"
  },
  "servers": [
    {
      "url": "https://amer.smartkey.io"
    }
  ],
  "paths": {
    "/sys/v1/apps/{app_id}/credential": {
      "get": {
        "operationId": "GetAppCredential",
        "tags": [
          "Apps"
        ],
        "security": [
          {
            "bearerToken": []
          },
          {
            "apiKeyAuth": []
          }
        ],
        "summary": "Get an application's credential.",
        "description": "In FIPS mode this secret will be reset after 100 failed API key authentication\nattempts in a 24 hour period.",
        "parameters": [
          {
            "name": "app_id",
            "in": "path",
            "required": true,
            "schema": {
              "type": "string",
              "format": "uuid"
            }
          }
        ],
        "responses": {
          "2XX": {
            "description": "Success result",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/AppCredentialResponse"
                }
              }
            }
          }
        }
      }
    }
  },
  "components": {
    "schemas": {
      "AppCredentialResponse": {
        "allOf": [
          {
            "type": "object",
            "description": "App credential response.",
            "properties": {
              "app_id": {
                "type": "string",
                "format": "uuid",
                "description": "Unique identifier of the App."
              },
              "credential": {
                "$ref": "#/components/schemas/AppCredential"
              },
              "previous_credential": {
                "$ref": "#/components/schemas/PreviousCredential"
              }
            },
            "required": [
              "app_id",
              "credential"
            ]
          }
        ]
      },
      "AppCredential": {
        "oneOf": [
          {
            "title": "AppCredentialVariantAll",
            "type": "object",
            "properties": {
              "all": {
                "type": "array",
                "items": {
                  "$ref": "#/components/schemas/OneAppCredential"
                }
              }
            },
            "required": [
              "all"
            ]
          },
          {
            "$ref": "#/components/schemas/OneAppCredential"
          }
        ]
      },
      "PreviousCredential": {
        "allOf": [
          {
            "type": "object",
            "description": "Expired app-credentials that are still valid for a transitional period.",
            "properties": {
              "credential": {
                "$ref": "#/components/schemas/AppCredential"
              },
              "valid_until": {
                "type": "string",
                "pattern": "^\\d{4}\\d{2}\\d{2}T\\d{2}\\d{2}\\d{2}Z$",
                "example": "20170509T070912Z",
                "description": "Validity period of the App credentials."
              }
            },
            "required": [
              "credential",
              "valid_until"
            ]
          }
        ]
      },
      "OneAppCredential": {
        "description": "App authentication mechanisms.",
        "oneOf": [
          {
            "title": "OneAppCredentialVariantSecret",
            "type": "object",
            "properties": {
              "secret": {
                "type": "string",
                "description": "Authenticating credentials of an App."
              }
            },
            "required": [
              "secret"
            ]
          },
          {
            "title": "OneAppCredentialVariantCertificate",
            "type": "object",
            "properties": {
              "certificate": {
                "type": "string",
                "format": "byte",
                "description": "PKI Certificate based authentication."
              }
            },
            "required": [
              "certificate"
            ]
          },
          {
            "title": "OneAppCredentialVariantTrustedCa",
            "type": "object",
            "properties": {
              "trustedca": {
                "$ref": "#/components/schemas/TrustedCaCredential"
              }
            },
            "required": [
              "trustedca"
            ]
          },
          {
            "title": "OneAppCredentialVariantGoogleServiceAccount",
            "type": "object",
            "properties": {
              "googleserviceaccount": {
                "$ref": "#/components/schemas/GoogleServiceAccountCredential"
              }
            },
            "required": [
              "googleserviceaccount"
            ]
          },
          {
            "title": "OneAppCredentialVariantSignedJwt",
            "type": "object",
            "properties": {
              "signedjwt": {
                "$ref": "#/components/schemas/SignedJwtCredential"
              }
            },
            "required": [
              "signedjwt"
            ]
          },
          {
            "title": "OneAppCredentialVariantLdap",
            "type": "object",
            "properties": {
              "ldap": {
                "type": "string",
                "format": "uuid",
                "description": "LDAP credentials of an App used for authentication."
              }
            },
            "required": [
              "ldap"
            ]
          },
          {
            "title": "OneAppCredentialVariantAwsIam",
            "type": "object",
            "properties": {
              "awsiam": {
                "type": "object",
                "properties": {}
              }
            },
            "required": [
              "awsiam"
            ]
          },
          {
            "title": "OneAppCredentialVariantAwsXks",
            "type": "object",
            "properties": {
              "awsxks": {
                "$ref": "#/components/schemas/AwsXksCredential"
              }
            },
            "required": [
              "awsxks"
            ]
          },
          {
            "title": "OneAppCredentialVariantGoogleWorkspaceCse",
            "type": "object",
            "properties": {
              "googleworkspacecse": {
                "type": "object",
                "properties": {}
              }
            },
            "required": [
              "googleworkspacecse"
            ]
          }
        ]
      },
      "TrustedCaCredential": {
        "allOf": [
          {
            "type": "object",
            "description": "`TrustedCa` app auth configuration.",
            "properties": {
              "check_revocation": {
                "type": "boolean",
                "nullable": true,
                "description": "When `true`, revocation status of certificates is checked, and revoked\ncertificates are rejected"
              }
            }
          },
          {
            "$ref": "#/components/schemas/TrustAnchorSubject"
          },
          {
            "$ref": "#/components/schemas/TrustAnchor"
          }
        ]
      },
      "GoogleServiceAccountCredential": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "access_reason_policy": {
                "$ref": "#/components/schemas/GoogleAccessReasonPolicy"
              },
              "groups": {
                "type": "object",
                "additionalProperties": {
                  "type": "array",
                  "items": {
                    "$ref": "#/components/schemas/GcpAppPermissions"
                  }
                },
                "nullable": true,
                "description": "Mapping for all groups an application is part of and the Gcp specific permissions it has within each of those groups."
              }
            }
          }
        ]
      },
      "SignedJwtCredential": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "valid_issuers": {
                "type": "array",
                "uniqueItems": true,
                "items": {
                  "type": "string"
                }
              },
              "signing_keys": {
                "$ref": "#/components/schemas/SigningKeys"
              },
              "private_claims_policy": {
                "$ref": "#/components/schemas/PrivateClaimsPolicy"
              }
            },
            "required": [
              "valid_issuers",
              "signing_keys"
            ]
          }
        ]
      },
      "AwsXksCredential": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "access_key_id": {
                "type": "string"
              },
              "secret_key": {
                "type": "string"
              }
            },
            "required": [
              "access_key_id",
              "secret_key"
            ]
          }
        ]
      },
      "TrustAnchorSubject": {
        "description": "Subjects or subject alternative names (SANs) for trusted CA auth.\nDSM will check the subject field and any SANs inside incoming\nclient certificates and compare them against the subjects configured\nin the trusted CA auth config.",
        "oneOf": [
          {
            "title": "TrustAnchorSubjectVariantSubject",
            "type": "object",
            "properties": {
              "subject": {
                "type": "array",
                "items": {
                  "type": "array",
                  "minItems": 2,
                  "maxItems": 2,
                  "items": {
                    "type": "string"
                  }
                },
                "description": "A single subject as a list of OID/value string pairs\n(representing a sequence of relative distinguished names), which\nshould appear in the client cert's subject field and/or as one\nof its SANs.\n\nThis legacy variant is retained for backcompat purposes, and is\nequivalent to specifying a directoryName via the SubjectGeneral\nvariant."
              }
            },
            "required": [
              "subject"
            ]
          },
          {
            "title": "TrustAnchorSubjectVariantSubjectGeneral",
            "type": "object",
            "properties": {
              "subject_general": {
                "$ref": "#/components/schemas/SubjectGeneral"
              }
            },
            "required": [
              "subject_general"
            ]
          },
          {
            "title": "TrustAnchorSubjectVariantSubjects",
            "type": "object",
            "properties": {
              "subjects": {
                "type": "array",
                "items": {
                  "$ref": "#/components/schemas/SubjectGeneral"
                },
                "description": "List of allowed GeneralName subjects. At least one of the values\nin this list must appear in the client cert, under its subject\nfield and/or as one of its SANs.\n\nCurrently, DSM supports at most 16 subjects."
              }
            },
            "required": [
              "subjects"
            ]
          }
        ]
      },
      "TrustAnchor": {
        "description": "Trust anchors (i.e., root CA certificiates) for a [`TrustedCaCredential`].",
        "oneOf": [
          {
            "title": "TrustAnchorVariantCaCertificate",
            "type": "object",
            "properties": {
              "ca_certificate": {
                "type": "string",
                "format": "byte",
                "description": "A single root CA certificate."
              }
            },
            "required": [
              "ca_certificate"
            ]
          },
          {
            "title": "TrustAnchorVariantCaCertificates",
            "type": "object",
            "properties": {
              "ca_certificates": {
                "type": "array",
                "items": {
                  "type": "string",
                  "format": "byte"
                },
                "description": "Multiple root CA certificates. DSM currently supports up to 16 certs."
              }
            },
            "required": [
              "ca_certificates"
            ]
          }
        ]
      },
      "GoogleAccessReasonPolicy": {
        "allOf": [
          {
            "type": "object",
            "description": "Policy specifying acceptable access reasons\nby Google Service Account at App or Sobject level.",
            "properties": {
              "allow": {
                "type": "array",
                "uniqueItems": true,
                "items": {
                  "$ref": "#/components/schemas/GoogleAccessReason"
                },
                "description": "Set of allowed Google Access reasons."
              },
              "allow_missing_reason": {
                "type": "boolean",
                "description": "Accept incoming requests which do not specify any access reasons."
              }
            },
            "required": [
              "allow",
              "allow_missing_reason"
            ]
          }
        ]
      },
      "GcpAppPermissions": {
        "description": "\n\n\n          CRYPTO_SPACE_GET_INFO:\n\n\n          CRYPTO_SPACE_GET_PUBLIC_KEY:\n\n",
        "type": "string",
        "enum": [
          "CRYPTO_SPACE_GET_INFO",
          "CRYPTO_SPACE_GET_PUBLIC_KEY"
        ]
      },
      "SigningKeys": {
        "description": "Signing keys used to validate JSON Web Signature objects including signed\nJSON Web Tokens.",
        "oneOf": [
          {
            "$ref": "#/components/schemas/SigningKeysVariantStored"
          },
          {
            "$ref": "#/components/schemas/SigningKeysVariantFetched"
          }
        ],
        "discriminator": {
          "propertyName": "kind",
          "mapping": {
            "stored": "SigningKeysVariantStored",
            "fetched": "SigningKeysVariantFetched"
          }
        }
      },
      "PrivateClaimsPolicy": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "definition": {
                "$ref": "#/components/schemas/PolicyDefinition"
              }
            },
            "required": [
              "definition"
            ]
          }
        ]
      },
      "SubjectGeneral": {
        "description": "A GeneralName that can be used as a [subject alternative name][SAN] in\na certificate.\n\nToday, the directoryName, dNSName, and iPAddress choices are supported.\nNote that directoryName can also be used to represent the subject field\nin a certificate.\n\n[SAN]: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.6",
        "oneOf": [
          {
            "title": "SubjectGeneralVariantDirectoryName",
            "type": "object",
            "properties": {
              "directory_name": {
                "type": "array",
                "items": {
                  "type": "array",
                  "minItems": 2,
                  "maxItems": 2,
                  "items": {
                    "type": "string"
                  }
                },
                "description": "A directoryName, which consists of a sequence of (type, value)\npairs, where type is an OID, and value is a DER-encoded ASN.1\nvalue. (This represents a sequence of relative distinguished\nnames.)"
              }
            },
            "required": [
              "directory_name"
            ]
          },
          {
            "title": "SubjectGeneralVariantDnsName",
            "type": "object",
            "properties": {
              "dns_name": {
                "type": "string",
                "description": "A DNS name."
              }
            },
            "required": [
              "dns_name"
            ]
          },
          {
            "title": "SubjectGeneralVariantIpAddress",
            "type": "object",
            "properties": {
              "ip_address": {
                "oneOf": [
                  {
                    "type": "string",
                    "format": "ipv4"
                  },
                  {
                    "type": "string",
                    "format": "ipv6"
                  }
                ],
                "description": "An IP address."
              }
            },
            "required": [
              "ip_address"
            ]
          }
        ]
      },
      "GoogleAccessReason": {
        "description": "An access reason provided by Google when making EKMS API calls.",
        "type": "string",
        "enum": [
          "REASON_UNSPECIFIED",
          "CUSTOMER_INITIATED_SUPPORT",
          "GOOGLE_INITIATED_SERVICE",
          "THIRD_PARTY_DATA_REQUEST",
          "GOOGLE_INITIATED_REVIEW",
          "CUSTOMER_INITIATED_ACCESS",
          "GOOGLE_INITIATED_SYSTEM_OPERATION",
          "REASON_NOT_EXPECTED",
          "MODIFIED_CUSTOMER_INITIATED_ACCESS",
          "MODIFIED_GOOGLE_INITIATED_SYSTEM_OPERATION",
          "GOOGLE_RESPONSE_TO_PRODUCTION_ALERT",
          "CUSTOMER_AUTHORIZED_WORKFLOW_SERVICING"
        ]
      },
      "SigningKeysVariantStored": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "kind": {
                "type": "string",
                "enum": [
                  "stored"
                ]
              }
            },
            "required": [
              "kind"
            ]
          },
          {
            "$ref": "#/components/schemas/SigningKeysStored"
          }
        ]
      },
      "SigningKeysVariantFetched": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "kind": {
                "type": "string",
                "enum": [
                  "fetched"
                ]
              }
            },
            "required": [
              "kind"
            ]
          },
          {
            "$ref": "#/components/schemas/SigningKeysFetched"
          }
        ]
      },
      "PolicyDefinition": {
        "oneOf": [
          {
            "$ref": "#/components/schemas/PolicyDefinitionVariantRego"
          }
        ],
        "discriminator": {
          "propertyName": "$type",
          "mapping": {
            "rego": "PolicyDefinitionVariantRego"
          }
        }
      },
      "SigningKeysStored": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "keys": {
                "type": "object",
                "additionalProperties": {
                  "type": "string",
                  "format": "byte"
                },
                "description": "Mapping key ids to DER-encoded public key."
              }
            },
            "required": [
              "keys"
            ]
          }
        ]
      },
      "SigningKeysFetched": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "url": {
                "type": "string"
              },
              "cache_duration": {
                "type": "integer",
                "description": "Number of seconds that the service is allowed to cache the fetched keys."
              }
            },
            "required": [
              "url",
              "cache_duration"
            ]
          }
        ]
      },
      "PolicyDefinitionVariantRego": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "$type": {
                "type": "string",
                "enum": [
                  "rego"
                ]
              }
            },
            "required": [
              "$type"
            ]
          },
          {
            "$ref": "#/components/schemas/PolicyDefinitionRego"
          }
        ]
      },
      "PolicyDefinitionRego": {
        "allOf": [
          {
            "type": "object",
            "description": "A policy definition defined using the Rego policy language as outlined in\nthe [Open Policy Agent](https://www.openpolicyagent.org/docs/policy-language) docs.\n\nThe DSM backend will pass an input to the Rego engine and the format is defined as such:\n- A JSON object that nests the JWT body one level, where the root key is `jwt_body`.\n- From the policy, this object is accessible via the `input` (OPA defined) variable.\n\nAn example of the input object:\n```json\n{\n\"jwt_body\": { < jwt body contents > }\n}\n```\n\nAn example policy indexing into the input:\n\n```rego\npackage my_example\n\ndefault allow := false\n\nallow if {\ninput.jwt_body.my_private_claims.employee == \"Alice\"\n}\n```\n\nThe expected policy format is defined as such:\n- A **required** variable defined as `allow` of type boolean. This should be updated true or false based on any other processing done.\n- An **optional** field defined as `additional_logging` if the client wishes to include other information not captured in existing audit logs for JWT auth apps.\n- Note: `additional_logging` is *limited to a max length of 128 UTF-8 bytes* and corresponds to the `client_provided_context` field on the `AuditLog` model.",
            "properties": {
              "value": {
                "type": "string"
              }
            },
            "required": [
              "value"
            ]
          }
        ]
      }
    }
  }
}
````

